Bug 1287745 - RFE: Add more fields to use composing audit rules to the exclude filter
Summary: RFE: Add more fields to use composing audit rules to the exclude filter
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
Assignee: Paul Moore
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-12-02 15:13 UTC by Steve Grubb
Modified: 2016-06-02 19:43 UTC (History)
8 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-06-02 19:43:34 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Steve Grubb 2015-12-02 15:13:00 UTC
Description of problem:
The exclude filter was created a long time ago to filter out SE Linux AVC's to meet the Common Criteria profile for CAPP. Currently the only field that can be used for filtering is the msgtype field. There are times when an admin may want to exclude events coming from user space or syscall events using uid, auid, session id, or even selinux types.

The lowest common denominator is the credentials that come from netlink during user space originating events. It might be possible to combine the filters for user and exclude which would give a little more flexibility in writing rules for the exclude filter. The only issue is the semantics are different between them. The user filter passes selected events where the exclude deletes selected events.

Comment 1 Paul Moore 2016-04-06 23:28:55 UTC
Upstream issue:

 * https://github.com/linux-audit/audit-kernel/issues/5

Comment 2 Paul Moore 2016-06-02 19:43:34 UTC
Closing this as we are tracking upstream RFEs on GitHub now, see link on comment #1.


Note You need to log in before you can comment on or make changes to this bug.